Vulnerability in SolusVM Debian 10 template - "debianuser" backdoor/default user - Page 5


Comments

  • entrailz Member, Host Rep

    @randomq said:

    @duckeeyuck said:
    Hey, what country do you get by looking those IPs up?

    From environment when miner/backdoor were launched:
    SSH_CONNECTION=205.185.125.189 38074 45.132.xx.xxx 22 # hadn't changed port yet

    Frantech, WY, USA:


    There were also these. I'm not on my laptop right now so I can't tell you which were the mining process and which were the backdoor process.

    149.202.83.171 OVH France
    178.128.242.134 DigitalOcean NL
    185.92.222.223 Vultr NL
    37.187.95.110 OVH France
    91.121.140.167 OVH France
    94.23.23.52 OVH France
    94.23.247.226 OVH France

    149.202.83.171 - Mining Pool
    37.187.95.110 - Mining Pool
    91.121.140.167 - Mining Pool
    94.23.23.52 - Mining Pool
    94.23.247.226 - Mining Pool
    178.128.242.134 - xmrig donate pool

    The other one doesn't seem to be related to the mining process.

    Thanked by 1: randomq
  • @yoursunny said:
    So the debianuser password is same as the root password?

    I don't think so, at least it doesn't match the hash I found

  • stefeman Member
    edited February 2021

    @vedran said:

    @yoursunny said:
    So the debianuser password is same as the root password?

    I don't think so, at least it doesn't match the hash I found

    the password is debian10svm

    It's said in here: https://tdn.solusvm.com/

  • From the blog post mentioned in the OP, password hash for debianuser is
    $6$WFiwDS/pPh5PRyPr$wLFwNWzE1vkNWbm2h/qqhSStLdqr0czHNSW6GqnnF5hycGQ.AfFTvNoNfCqegPsjveARh6mITTsqNz9ClYY.b0
    I don't know if that's correct, but it doesn't match debian10svm (openssl passwd -6 -salt WFiwDS/pPh5PRyPr debian10svm)

  • DP Administrator, The Domain Guy
    edited February 2021

    @vedran said:
    From the blog post mentioned in the OP, password hash for debianuser is
    $6$WFiwDS/pPh5PRyPr$wLFwNWzE1vkNWbm2h/qqhSStLdqr0czHNSW6GqnnF5hycGQ.AfFTvNoNfCqegPsjveARh6mITTsqNz9ClYY.b0
    I don't know if that's correct, but it doesn't match debian10svm (openssl passwd -6 -salt WFiwDS/pPh5PRyPr debian10svm)

    Yeah it doesn't.

    However, referring to a much newer post at a different website (not that I can understand the Chinese language):

    debianuser:$6$iywrJAKpLAgGntKq$n074dfRpLlcpKVYNOl0cLjbW5LnYh8AS/szYtR2GhrzvibWPrFdqmflyOjpWaBC4YnCvpqEgV3NZ2VPzqeNuM.:18190:0:99999:7:::

    It matches the hash for debian10svm.

    $ openssl passwd -6 -salt iywrJAKpLAgGntKq debian10svm
    $6$iywrJAKpLAgGntKq$n074dfRpLlcpKVYNOl0cLjbW5LnYh8AS/szYtR2GhrzvibWPrFdqmflyOjpWaBC4YnCvpqEgV3NZ2VPzqeNuM.
    
    Thanked by 2: vedran, tomazu
  • Wow, I just saw this.
    Checked all my VPS, and it seems all of them are fine. No debianuser, and I have CPU logs which look fine. I think I do not need to reinstall them.

  • Nihim Member

    @ABC said:
    I recently purchased a VPS from RackNerd, I chose Debian 10 template and there was indeed a "debianuser" user, however I've deleted it immediately.
    Should I reinstall? @dustinc

    If it's recently you most likely haven't installed much, so the safer way is to just reinstall.

    Btw, key or pass, I also like to set AllowUsers, which would also block this case.
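    An added audit script (not code from this thread or from SolusVM) that ties together the two checks discussed above: DP's hash comparison, which works because every VM built from the template ships the same salted shadow entry so an exact string match is enough, and Nihim's AllowUsers point. The /etc/passwd, /etc/shadow, /etc/group and sshd_config contents are constructed samples; on a real VM you would read those files instead.

```python
# Shadow hash of "debianuser" in the SolusVM Debian 10 template, as quoted in this thread
# (openssl passwd -6 -salt iywrJAKpLAgGntKq debian10svm reproduces it).
TEMPLATE_HASH = ("$6$iywrJAKpLAgGntKq$n074dfRpLlcpKVYNOl0cLjbW5LnYh8AS/"
                 "szYtR2GhrzvibWPrFdqmflyOjpWaBC4YnCvpqEgV3NZ2VPzqeNuM.")

# Constructed sample files standing in for /etc/passwd, /etc/shadow, /etc/group and sshd_config.
PASSWD = ("root:x:0:0:root:/root:/bin/bash\nsshd:x:105:65534::/run/sshd:/usr/sbin/nologin\n"
          "debianuser:x:1000:1000:debian:/home/debianuser:/bin/bash\n")
SHADOW = ("root:$6$constructedsalt$constructedhash:18190:0:99999:7:::\n"
          "sshd:*:18190:0:99999:7:::\ndebianuser:" + TEMPLATE_HASH + ":18190:0:99999:7:::\n")
GROUP = "root:x:0:\nsudo:x:27:debianuser\n"
SSHD_CONFIG = "Port 22\nPasswordAuthentication yes\n"

def parse_colon_file(text):
    """Parse passwd/shadow/group-style text into {first field: all fields}."""
    return {f[0]: f for f in (l.split(":") for l in text.splitlines() if l.strip())}

def audit_accounts(passwd_text, shadow_text, group_text, expected=("root",)):
    """Flag login-capable accounts nobody provisioned, like the thread's debianuser case."""
    findings = []
    shadow = parse_colon_file(shadow_text)
    groups = parse_colon_file(group_text)
    sudoers = set(groups.get("sudo", ["", "", "", ""])[3].split(",")) - {""}
    for name, f in parse_colon_file(passwd_text).items():
        if name in expected or int(f[2]) < 1000 or f[6].endswith(("nologin", "false")):
            continue  # system accounts, or accounts we created ourselves
        pw = shadow.get(name, ["", ""])[1]
        if pw == TEMPLATE_HASH:
            findings.append(f"{name}: hash is the SolusVM template default (debian10svm)")
        elif pw and not pw.startswith(("!", "*")):
            findings.append(f"{name}: unexpected account with a usable password")
        if name in sudoers:
            findings.append(f"{name}: member of the sudo group")
    return findings

def sshd_allow_users(sshd_config_text):
    """Return the AllowUsers set, or None when sshd_config has no such restriction."""
    allowed = None
    for line in sshd_config_text.splitlines():
        parts = line.split()
        if parts and parts[0].lower() == "allowusers":
            allowed = (allowed or set()) | set(parts[1:])
    return allowed

if __name__ == "__main__":
    for finding in audit_accounts(PASSWD, SHADOW, GROUP):
        print("FINDING", finding)
    if sshd_allow_users(SSHD_CONFIG) is None:
        print("FINDING sshd_config: no AllowUsers, so a stray account can log in over SSH")
```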

  • ezeth Member, Patron Provider
    edited March 2021

    KVM, openvz 7? Is it only the solusvm template that has this backdoor, or is it the vz template itself?

  • Daniel15 Veteran
    edited March 2021

    @ezeth said:
    KVM, openvz 7? Is it only the solusvm template that has this backdoor, or is it the vz template itself?

    KVM. Not sure if it affects OpenVZ as I don't know many hosts that actually use OpenVZ (other than very lowend NAT providers).

    The backdoor was specifically in SolusVM's template from https://tdn.solusvm.com/.

  • I just noticed that this was covered in a news article by TheRegister last month: https://www.theregister.com/2021/02/07/in_brief_security/

    Beware SolusVM Debian, it might not be secure

    Linux hosting provider RackNerd has warned that VPS customers running the Debian 10 template provided by SolusVM may be vulnerable to potential abuse. The Los Angeles-based hosting biz has found that the Debian 10 template from the SolusVM TDN, offered as an alternative to the more onerous manual installation process, creates an unexpected user account.

    “When SolusVM’s team initially created the Debian 10 template and published it on the TDN, they failed to remove the default installation user ‘debianuser’ prior to creating the OS template based upon that installation,” the firm explained in an email to affected customers. “This resulted in two users being active on VPS’s deployed on this template, ‘root’ and ‘debianuser.’”

    The notice follows reports from other hosting providers like Florida-based Hosthatch that they’ve detected compromised “debianuser” accounts in VMs running Debian from a SolusVM template. A discussion of the issue cites a Chinese blog post complaining about a similar VPS compromise at GreenCloudVPS last October that led the account to find a Monero mining program running without authorization on the “debianuser” account.

    Among those discussing the vulnerability, it’s been suggested that the “debianuser” account has a weak default password, and may come with “sudo” installed, itself recently found to be vulnerable. Plesk, which oversees SolusVM, did not immediately respond to a request for comment.

  • MikePT Moderator, Patron Provider, Veteran

    @Daniel15 said:
    I just noticed that this was covered in a news article by TheRegister last month: https://www.theregister.com/2021/02/07/in_brief_security/

    Beware SolusVM Debian, it might not be secure

    Linux hosting provider RackNerd has warned that VPS customers running the Debian 10 template provided by SolusVM may be vulnerable to potential abuse. The Los Angeles-based hosting biz has found that the Debian 10 template from the SolusVM TDN, offered as an alternative to the more onerous manual installation process, creates an unexpected user account.

    “When SolusVM’s team initially created the Debian 10 template and published it on the TDN, they failed to remove the default installation user ‘debianuser’ prior to creating the OS template based upon that installation,” the firm explained in an email to affected customers. “This resulted in two users being active on VPS’s deployed on this template, ‘root’ and ‘debianuser.’”

    The notice follows reports from other hosting providers like Florida-based Hosthatch that they’ve detected compromised “debianuser” accounts in VMs running Debian from a SolusVM template. A discussion of the issue cites a Chinese blog post complaining about a similar VPS compromise at GreenCloudVPS last October that led the account to find a Monero mining program running without authorization on the “debianuser” account.

    Among those discussing the vulnerability, it’s been suggested that the “debianuser” account has a weak default password, and may come with “sudo” installed, itself recently found to be vulnerable. Plesk, which oversees SolusVM, did not immediately respond to a request for comment.

    It wasn't Racknerds who found it though.

    Thanked by 2: lentro, default
  • reinstalled.

  • @natural said:
    reinstalled.

    Cool story, bro.

  • Thankfully I'm still running Debian 6 so I'm safe

  • angstrom Moderator

    @hostnoob said:
    Thankfully I'm still running Debian 6 so I'm safe

    Brilliant -- why didn't we think of this?

  • Wait, didn't realise this thread was so old before I posted that. Could have sworn it was on the front page

  • jbiloh Administrator, Veteran

    @hostnoob said:
    Wait, didn't realise this thread was so old before I posted that. Could have sworn it was on the front page

    It's OK, it was worth a good laugh.

  • Yeah, that's long gone. Even if some random servers in Asia still have it, most companies def got rid of it.
